President-elect Barack Obama recently announced that he will appoint the very first national Chief Technology Officer as a part of his administration. It seems a good idea: the yet-to-be-named CTO will be charged with ensuring that the government and all its agencies have the right infrastructure, policies and services in place for the 21st century. Unfortunately, a CTO might not be the best resource to solve the most pressing issue for the Federal IT infrastructure. The problem is not so much a lack of vision, but rather a lack of IT security. What the nation really needs is a chief information security officer.
The Obama campaign has had direct experience with the consequences of weak IT security. Following Mr. Obama’s victory in the presidential election, it was revealed that the computers of both the McCain and Obama campaigns were compromised. Currently, published reports indicate that the most likely culprit is “an unknown foreign entity.” Though the Obama campaign’s online donation records were apparently unscathed, a large number of strategic documents had been transferred from their networks while their network administrators remained unaware. The Obama campaign hired an IT security firm to patch the breach and strengthen security; according to the firm, they suspected Russia or China had been behind the attack, hoping to gain intelligence that would provide a stronger hand in negotiations with the winner of the presidential election.
Evidence is mounting that the IT security position of the U.S. Federal Government itself may be catastrophically weak. The White House’s e-mail archive system, for example, was recently penetrated and e-mail messages between top officials were accessed. In August of 2008, news broke that the FBI had uncovered a break-in to the Federal Emergency Management Agency’s phone system, allowing a hacker to make more than $12,000 worth of calls to foreign countries. This fall it was reported that dozens of Department of Homeland Security computers were compromised and sensitive information was transferred to Chinese Web sites. These are just a few of the publicly known incidents; one can suppose that there were many more that have remained secret.
Further, Supervisory Control and Data Acquisition (SCADA) systems that control the vital infrastructure of industrial operations such as power generation, water treatment, oil and gas pipelines, and a myriad of other major industrial applications, are sometimes connected to the public Internet in one fashion or another to support business demands. In the process, it has been reported that some of these systems are exposed through undetected vulnerabilities, or “leaks,” to the Internet. In one widely publicized incident occurring in March of this year, the Hatch Nuclear Power Plant in Georgia went through an emergency shutdown as a result of a software update that was made on the plant’s business network, which was improperly linked to the SCADA system. Administrators were aware of the link, but did not realize it was a two-way connection. As a result, a synchronization from the corporate network erased data in the SCADA system, which triggered an alarm that shut down the entire plant. Here we see an illustration of how the line between our nation’s physical security and the need for cyber security is blurred.
As far back as February 2003, the White House released its National Strategy to Secure Cyberspace, which coincided with the launch of the then-brand-new Department of Homeland Security. The strategic goals were to prevent cyber attacks against America’s critical infrastructures, reduce national vulnerability to cyber attacks, and minimize damage and recovery time from cyber attacks that do occur.
Since that announcement, the Bush administration has kept many of the components of its cyber security strategy secret, announcing only occasional details and very few notifications about substantive progress in the programs. In fact, the nation only learned in January about the components of the Comprehensive National Cybersecurity Initiative (CNCI).
These components include: the Trusted Internet Connections (TIC) program, which seeks to reduce the number of Internet connections that Federal agencies employ and to harden security on those connections; intrusion detection and prevention, which aims to keep interlopers from intruding and to find those who succeed; situational awareness through the National Cyber Security Center, which would keep track of current and potential threats; classified network security, which protects our most vital secrets; and cyber education, which lays the groundwork for the future of IT security.
With the possible exception of the TIC program, there have been virtually no announcements of progress with respect to the stated initiatives. This is particularly disconcerting given the White House’s assertion that “the healthy functioning of cyberspace is essential to our economy and our national security.”
The good news is that the industry continues to develop and advance tools and techniques to avert these potential attacks. This knowledge and these tools are a tremendous resource available to the U.S. Federal Government. While it is true that no CSO will be able to prevent every possible attack, we have the capabilities today to greatly reduce the potential impact of known vulnerabilities.
It has been suggested by members of the current administration that the Federal Government may seek to develop innovations of its own along these lines, and only as a secondary thought reach out to the key visionaries in industry to validate or enhance those viewpoints. While there is tremendous respect for the talent that our public servants possess in cyber security and related arenas, the next administration should not forget that the free market economy drives innovation, and the government should avail itself of the benefits of that innovation.
The demand from large commercial enterprises to secure their networks has driven innovation in network assurance and security. Solutions are available today to proactively secure the infrastructure against these risks and to avert possible attacks. Unauthorized or unknown network connections and improperly secured or managed devices are among the areas that hackers (state-sponsored or not) seek to exploit. They should be identified and investigated using the tools and techniques available today, so that security measures can be activated or adjusted to effectively mitigate the risk of unwanted access.
While it is true that not every possible attack can be averted, the nation currently has the capability to greatly reduce potential threats based on known vulnerabilities. By guarding against attacks which seek out weak areas of the national cyber infrastructure, it is possible to prevent a large percentage of potential attacks.
Historically, a nation could tell an invasion was imminent when the telephone lines were cut. Today it is unnecessary to cut the lines: a sophisticated distributed denial of service attack can shut down phone systems, power and water controls, and interrupt financial transactions. This is exactly what happened shortly before Russian troops crossed the border into the Republic of Georgia. Cyber security protects much more than state secrets. It quite literally protects our national infrastructure and the backbone of our economy.
Cyber security has lagged under the Bush administration, which, in today’s interconnected world, has left a gaping hole in the United States’ national security system. The president-elect has made a good start by deciding to appoint a National CTO, but an additional immediate priority should be to appoint a national CSO who will ensure that the Nation’s cyber security is job one.
Michael Markulec has more than 20 years of experience in computer networking and software. At Lumeta, he is responsible for both operational and strategic leadership of Lumeta’s Network Assurance solutions.